Receiving Windows Integrated Authentication Prompt in Lync 2013 Web App

  • Question

  • We are planning to use Lync Web App (Lync 2013) internally in order for some non-Lync enabled users to take part in conferences.  We've noticed that when these users click on the meeting link they receive a Windows integrated authentication prompt.  Since they are not Lync enabled, entering a username/password results in the user being told 'Your account is not configured for meetings'.  They can use the 'Are you a guest to this meeting? Sign in here instead' option after they receive that warning, but as you can imagine this has caused some confusion among our non-Lync users.

    My question...is there any way to prevent the Windows integrated authentication prompt from appearing and simply have the forms based authentication screen appear?  The Windows integrated authentication prompt only appears when connecting within our internal network.  External users simply receive the forms based authentication prompt.  Any help would be greatly appreciated.

     
    Thursday, September 12, 2013 6:56 PM

Answers

  • Finally we discovered a new feature, silently introduced in the latest CUs (January 2014).

    Running a Get-CsWebServiceConfiguration, you'll notice an entry called UseDomainAuthInLWA set to True.

    Setting this feature to False will disable the Domain Authentication process on Lync Web App. When a user joins a meeting using Lync Web App, they will be prompted to use a Guest account only. Joining the meeting using domain credentials will no longer be possible, but the credentials prompt will no longer be shown to users from non-domain computers.



    • Edited by LoremanReturns Friday, February 28, 2014 2:11 PM
    • Proposed as answer by LoremanReturns Friday, February 28, 2014 2:12 PM
    • Unproposed as answer by LoremanReturns Friday, February 28, 2014 2:13 PM
    • Marked as answer by Shawn-B Monday, March 3, 2014 3:45 PM
    Friday, February 28, 2014 2:08 PM
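
    Added example, not part of the original answer: a read-only audit of the two settings this thread discusses (UseWindowsAuth and UseDomainAuthInLWA) across every web service configuration scope, followed by a -WhatIf preview of the change described above. It assumes the Lync Server Management Shell and that the change is wanted on the Global scope.

```powershell
# Added example (not from the thread). Run in the Lync Server Management Shell.
# Lists each web service configuration scope with the two settings discussed
# in this thread, warns about risky states, then previews the LWA change.

$report = foreach ($cfg in Get-CsWebServiceConfiguration) {
    # UseDomainAuthInLWA is only present once the January 2014 CU is installed.
    $hasLwaSwitch = $null -ne $cfg.PSObject.Properties['UseDomainAuthInLWA']

    [pscustomobject]@{
        Identity           = "$($cfg.Identity)"
        UseWindowsAuth     = "$($cfg.UseWindowsAuth)"
        HasLwaSwitch       = $hasLwaSwitch
        UseDomainAuthInLWA = $(if ($hasLwaSwitch) { $cfg.UseDomainAuthInLWA } else { $null })
    }
}
$report | Format-Table -AutoSize

foreach ($row in $report) {
    if ($row.UseWindowsAuth -eq 'None') {
        # Replies in this thread report that new Lync clients then stop
        # receiving their certificate from the Front End.
        Write-Warning "$($row.Identity): UseWindowsAuth is None (affects all web services, not only Lync Web App)."
    }
    if (-not $row.HasLwaSwitch) {
        Write-Warning "$($row.Identity): UseDomainAuthInLWA is not exposed; the January 2014 CU appears to be missing."
    }
}

# Preview the Lync Web App change only; UseWindowsAuth is left untouched.
# Remove -WhatIf to apply it.
$global = $report | Where-Object { $_.Identity -eq 'Global' }
if ($global -and $global.HasLwaSwitch -and $global.UseDomainAuthInLWA) {
    Set-CsWebServiceConfiguration -Identity Global -UseDomainAuthInLWA $false -WhatIf
}
```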

All replies

    • Marked as answer by Kent-Huang Wednesday, September 18, 2013 1:20 PM
    • Unmarked as answer by Shawn-B Wednesday, September 18, 2013 10:40 PM
    Friday, September 13, 2013 3:08 AM
  • Thanks, but neither of these is a solution.  The first link in your proposed solution explains how to disable Windows Authentication within IIS, but viewing the settings for /meet directory within IIS shows that Windows Authentication is already disabled.  I've already reviewed the second link and all it does is allow anonymous users into a meeting.  It doesn't change the logon behavior I describe.
    Wednesday, September 18, 2013 10:39 PM
  • Did you get an answer on this?  I'm having the same issue with being prompted by "Windows Security" while hitting the meeting link while on internal network.  Thank you!
    Thursday, October 17, 2013 4:35 PM
  • Unfortunately, no.  And I haven't had much of a chance to try a few things on my own.  Hope to do so soon.  I'll post something here if I do find some sort of solution.
    • Proposed as answer by wheelerthomas1 Friday, January 3, 2014 9:41 PM
    • Unproposed as answer by Shawn-B Monday, March 3, 2014 3:46 PM
    Saturday, October 19, 2013 1:12 PM
  • You need to open the Lync 2013 admin console and select Security, then Web Service. Here, edit the Global config and set Integrated Windows Authentication to None.

    • Marked as answer by Shawn-B Wednesday, January 8, 2014 7:57 PM
    • Unmarked as answer by Shawn-B Monday, March 3, 2014 3:45 PM
    Friday, January 3, 2014 9:42 PM
  • Thanks!  Setting that to 'None' got rid of the Windows authentication prompt.  Unfortunately it also removes the ability for Lync enabled users to logon using their credentials (via forms auth), but that's not a big deal since all of your users should have the full Lync client installed on their machines or on their mobile devices.
    Wednesday, January 8, 2014 7:57 PM
  • You shouldn't do this, because Lync won't be able to distribute certificates to desktop clients any more, causing worse credential issues.

    I'm facing the same problem, only for web meetings and browsers from a different subnet (internal, without a firewall, but different).

    Any suggestion greatly appreciated.

    Red.

    Friday, February 7, 2014 12:31 PM
  • Setting Integrated Windows Authentication to none on the Global policy of Web Services is not the right solution.

    If you make this setting, you will run into trouble with the Lync client authentication process, and if you run a test, you'll notice that all new Lync clients will not receive the personal certificate from the FrontEnd.


    Friday, February 7, 2014 2:53 PM
  • I know this may be late in the game on providing everyone a solution here; however, I'll give it a shot. We have a lot of users that use our SIP Trunk Service with Lync.  Many have had this same problem and the resolution is quite simple.

    Step 1.  -   Open Lync Server Control Panel

    Step 2.  -   Sign into Control Panel

    Step 3.  -   Click on the security tab located on the left pane window of Lync Server 2013 Control Panel

    Step 4.  -   At the top you will see three tab options  Registrar | Web Service | PIN Policy.  Click Web Service

    Step 5.  -   Assuming you have only one configuration, highlight that configuration, click edit, click show details.

    Step 6.  -   Under Integrated Windows Authentication, change to None.

    Step 7.  -   Click Commit

    Step 8.  -   On Lync Server, click start, run, type in iisreset, press enter

    Step 9.  -   Take a bow...

    I hope this helps out.   You can always call Kanobe and ask for help if you're stuck.  http://www.kanobe.com

    Respectfully,
    William J. Nelson


    Tuesday, July 14, 2015 1:35 AM
  • Hi,

    Same problem as the thread initiator here: an authentication prompt when we try to use the Lync / Skype for Business WebApp, and no success logging in with a mobile client.

    No change in the web server security options has shown any success. Any ideas?

    I can exclude our ReverseProxy and LoadBalancer, because the authentication prompt is also shown if I try to connect internally to https://POOLFQDN:4443/.... or https://FRONTENDFQDN:4443/...

    I've also tried to uninstall and reinstall the SfBWebService on every FrontEnd, but with no success. Running the bootstrapper or setup and install from the deployment wizard also gave us no success.

    My last option is to install a new SfB pool and migrate to it...

    Thanks in advance

    Rene

    Monday, January 2, 2017 4:15 PM
  • Hi,

    So, the migration to a new Skype for Business pool also doesn't have any effect. The failure goes on and on.... :-(

    BR

    Rene

    Tuesday, January 10, 2017 2:20 PM
  • Hello,

    Some more news... mobile client login doesn't work either, on Android, Windows Mobile or iPhone.

    Debug from Android:

    INFO TRANSPORT CWebTicketSession.cpp:563 Received webticket resposne with status E_AuthError (E2-3-2)

    INFO TRANSPORT CWebTicketSession.cpp:1264 Raising WebTicketEvent for https://lyncwebext.xyz.xy/Autodiscover/AutodiscoverService.svc/root/user?originalDomain=xyz.xy and https://lyncwebext.xyz.xy/WebTicket/WebTicketService.svc with status E_AuthError (E2-3-2)

    INFO TRANSPORT CAuthenticationResolver.cpp:370 Token retrieval for url https://lyncwebext.xyz.xy/Autodiscover/AutodiscoverService.svc/root/user?originalDomain=xyz.xy completed with status E_AuthError (E2-3-2)

    INFO APPLICATION CAlertReporter.cpp:64 Alert received! Category 1, Type 201, level 0, error E_AuthError (E2-3-2), context '', hasAction=false

    INFO APPLICATION CTransportRequestRetrialQueue.cpp:735 Response received for req. GET-AuthenticatedUserGetRequest(0xb8a6a2c0): E_AuthError (E2-3-2) (RemoteNetworkPermanentError); Done with req.; Stopping resend timer

    DEBUG ErrorMessageUtils: getLocalizedErrorStringForErrorCode code: E_AuthError, type: AutoDiscoveryAlert, context: , localized string: Sie können nicht angemeldet werden. Prüfen Sie Ihre Kontoinformationen und Aktualisierungen, die Sie an den erweiterten Optionen vorgenommen haben.

    BR

    Rene

    Thursday, January 12, 2017 10:08 AM
  • SOLUTION!!!

    Exactly as described here:

    http://masteringlync.com/2014/08/26/quick-tip-iisarr-and-authenticated-traffic-failing/

    Someone has enabled Windows Authentication on the default website of our IIS ARR.... ahhhh....

    BR 

    Rene

    Thursday, January 12, 2017 4:51 PM
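
    Added example, not part of the original post: a read-only check for the misconfiguration reported in the last reply, listing which IIS sites on the reverse proxy have Windows Authentication enabled. It assumes the WebAdministration module on the IIS ARR server and an elevated PowerShell session; the site name in the commented fix is the one named in the post.

```powershell
# Added example (not from the thread). Run elevated on the IIS ARR server.
# A reverse proxy that only forwards Lync/SfB web traffic should not answer
# authentication challenges itself, so Windows Authentication enabled on a
# proxy site is the state to look for.
Import-Module WebAdministration

$base = 'system.webServer/security/authentication'

$report = foreach ($site in Get-Website) {
    # The authentication sections are locked at server level by default, so
    # read them from applicationHost.config with -Location per site.
    $win  = Get-WebConfigurationProperty -PSPath 'IIS:\' -Location $site.Name `
                -Filter "$base/windowsAuthentication" -Name enabled `
                -ErrorAction SilentlyContinue
    $anon = Get-WebConfigurationProperty -PSPath 'IIS:\' -Location $site.Name `
                -Filter "$base/anonymousAuthentication" -Name enabled `
                -ErrorAction SilentlyContinue

    [pscustomobject]@{
        Site          = $site.Name
        State         = $site.State
        # A missing section (feature not installed) is reported as $false.
        WindowsAuth   = [bool]($win  -and $win.Value)
        AnonymousAuth = [bool]($anon -and $anon.Value)
    }
}
$report | Format-Table -AutoSize

$flagged = @($report | Where-Object { $_.WindowsAuth })
foreach ($row in $flagged) {
    Write-Warning "$($row.Site): Windows Authentication is enabled on this proxy site."
}

# Fix for the site named in the post, after confirming nothing else on the
# proxy depends on it:
# Set-WebConfigurationProperty -PSPath 'IIS:\' -Location 'Default Web Site' `
#     -Filter "$base/windowsAuthentication" -Name enabled -Value $false
```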